Oliver,

> I'm reviewing the setup of our outq authorities and found
> we have many different settings.
> We have about 60 printers/outq and several other outq w/o
> printer attached.


Step one - Find the OS/400 Security Reference V5R2 and open it to pages
197-200.

Step two - Read the rest of my note, but note that the "rules" that I
describe have far too many exceptions for me to record them all here.  Use
the Security Reference manual as the definitive authority, but this should
get you started...


First rule - any user with *SPLCTL special authority can get to every
spooled report in every out queue.  Game over.  If you don't want
someone to see a report make sure that they don't have *SPLCTL.

Second Rule - A user with *ALLOBJ special authority can achieve *SPLCTL
Special Authority in two seconds.  See rule 1.

Third Rule - A user with *JOBCTL special authority can get to any spool
file in any out queue where the out queue is defined as OPRCTL(*YES).
The purpose of the OPRCTL(*YES) parameter is to allow system operators
who have *JOBCTL Special Authority to bypass the object and out queue
authorities.  If you don't want someone to see what's in an out queue,
make sure that either A) they don't have *JOBCTL and/or B) the out queue
is defined as OPRCTL(*NO).


Fourth Rule - If the AUTCHK parameter on the out queue is set to *OWNER,
then only someone with ownership rights (the actual owner, a member of
the Owner Group, or an adopted authority program) can manage (print,
hold, release, delete, etc) spool files on the queue (unless rules 1, 2,
or 3 apply).

If the AUTCHK parameter on the out queue is set to *DTAAUT, then anyone
with the correct Object and Data Authority rights (*USE, *CHANGE, *ALL,
etc.) can manage spool files on the queue (and rules 1, 2, or 3 still
apply).


Fifth Rule - and here it starts to get complicated :) - 
If a user wants to View, Copy or Send data in a report, the user and the
out queue must have one of these configurations:

A) If the DSPDTA Parameter on the out queue is (*NO), then the user can
only see their own files (unless rules 1, 2, or 3 apply).
B) If the DSPDTA Parameter on the out queue is (*YES), then the user can
see all files in the out queue.
C) If the DSPDTA Parameter on the out queue is (*OWNER), then , and that is
the only person who can see those files (unless rules 1 or 2 apply).

Note that this last rule does not address who can print something.  So
in C) above, a user with *JOBCTL can still manage the spool file object
and so cause something to print, and look at it there.  


Whew!  There is more, but go grab the Security Reference Guide and I
think you can muscle through it from there.

jte


--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com 
--
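
The viewing rules from the message above, written as a small audit check. This is an added example, not part of the original post or of IBM's documentation; the class and function names and the sample users and out queues are constructed, and object authority to the out queue itself is not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    special: set = field(default_factory=set)  # special authorities, e.g. {"*JOBCTL"}

@dataclass
class OutQ:
    name: str
    oprctl: str  # "*YES" or "*NO"
    dspdta: str  # "*NO", "*YES" or "*OWNER"

def view_others_reason(user, outq):
    """Why `user` can reach other users' spooled data on `outq`, or None."""
    if "*SPLCTL" in user.special:
        return "rule 1: *SPLCTL"
    if "*ALLOBJ" in user.special:
        return "rule 2: *ALLOBJ can obtain *SPLCTL"
    jobctl_bypass = "*JOBCTL" in user.special and outq.oprctl == "*YES"
    if outq.dspdta == "*OWNER":
        # Per the message, only rules 1 or 2 override *OWNER for viewing, but
        # *JOBCTL can still print the file. Assumption: that path needs
        # OPRCTL(*YES), as in rule 3.
        return "indirect: *JOBCTL can print the file" if jobctl_bypass else None
    if jobctl_bypass:
        return "rule 3: *JOBCTL with OPRCTL(*YES)"
    if outq.dspdta == "*YES":
        return "rule 5B: DSPDTA(*YES)"
    return None  # DSPDTA(*NO): own files only

def audit(users, outqs):
    """List (user, outq, reason) for every exposure the rules allow."""
    return [(u.name, q.name, r) for q in outqs for u in users
            if (r := view_others_reason(u, q))]

# Constructed sample data, not taken from any real system.
USERS = [User("ADMIN1", {"*ALLOBJ"}), User("OPER1", {"*JOBCTL"}), User("CLERK1")]
OUTQS = [OutQ("PAYROLL", "*NO", "*NO"), OutQ("INVOICES", "*YES", "*NO"),
         OutQ("REPORTS", "*NO", "*YES"), OutQ("HRQ", "*YES", "*OWNER")]

if __name__ == "__main__":
    for finding in audit(USERS, OUTQS):
        print("%-8s %-9s %s" % finding)
```

Every line it prints is a user who can reach someone else's report on that queue; treat the output as a starting list to check against the Security Reference, which covers the exceptions this sketch leaves out.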




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
